0

So my question has been explained from the title. I'd like to know how to detect whether a user is using keytab or password for authentication to Domain Controllers. I'm thinking about checking for log file to see what session has been used and if possible I'm not sure it will tell me something specific to distinguish them?

Update 1:

I'm thinking about checking for log file to see what session has been used and if possible I'm not sure it will tell me something specific to distinguish them?

this is not yet investigated

Ender
  • 604
  • 3
  • 9
  • 13

1 Answers1

0

In this case, if a user is using keytab, after the keytab generation by the following this command: eg:

ktpass -out centos1-dev-local.keytab -mapUser krbCentos@DEV.LOCAL +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/centos1.dev.local@DEV.LOCAL

The User logon name changes into an SPN, so it can be found by Kerberos clients looking it up. Note that the checkbox "This account supports Kerberos AES 256 bit encryption" under Account Options is selected. The checkbox must be manually selected after the keytab generation otherwise you'll receive an error along the lines of 'Cannot find key of appropriate type to decrypt AP REP...".

Through this, we can use PowerShell to look up for a user using keytab by finding its Logon Name or msDS-SupportedEncryptionType attribute.

enter image description here

Ender
  • 604
  • 3
  • 9
  • 13
  • Good that you found a solution to your problem. However, the answer matches in no way to the question you asked earlier. You should either change your answer to actually answer your question, or, as long as no other answers or comments exist, change your question in a way so it matches your answer. In the current state it most probably will only attract downvotes. – Gerald Schneider Apr 23 '18 at 07:28
  • @GeraldSchneider Updated! – Ender Apr 23 '18 at 08:35